Sponsored by..

Tuesday 8 November 2016

Malware spam: "Statement" leads to Locky

Another terse fake financial spam leading to Locky ransomware:

Subject:     Statement
From:     accounts@somedomain.tld
Date:     Tuesday, 8 November 2016, 10:59

For your Information.
The sender domain varies. Attached is a ZIP file with a name similar to Statement PDF - 56765041263.zip which in turn contains a malicious WSF script (like this) named in a format similar to SLM245260-0214.wsf.

Hybrid Analysis of this one sample shows a download occurring from:

gpstrackerbali.com/67j5hg?LzQWruaaLHv=dIYfuCrkfcG

There will no doubt be many other locations, if I get more information then I will post it here. The script drops a DLL with a detection rate of 14/56 and the malware appears to phone home to:

185.118.66.90/message.php (vpsville.ru, Russia)
158.69.223.5/message.php (OVH, Canada)


Recommended blocklist:
185.118.66.90
158.69.223.5

No comments: